Channels

Services

Auto-complete: browsers disclose private data - Update

In the run-up to his presentation at the Black Hat conference, Jeremiah Grossman of White Hat Securitytold The Register that users who allow their browsers to auto-complete frequently used form fields, such as names or email addresses, may become an easy target for data thieves. For instance, auto-complete data can reportedly be retrieved automatically via JavaScript in Safari 4 and 5.

To exploit the flaw a crafted web page is created with various input fields with such typical labels as name, email address or credit card number. A script is created which tries out all possible first letters in these fields. This triggers the auto-complete feature which kicks in once the first character has been entered. If the browser auto-completes the letter to make a word, the script processes the entered value. This can even be done invisibly via hidden form fields.

Grossman informed Apple about the data leak on the 17th of June but says that so far he has not received any reply, other than an automated confirmation of receipt. A similar form of this attack scenario is already familiar from versions 6 and 7 of Microsoft Internet Explorer. In combination with cross-site scripting, Chrome and Firefox are also said to be vulnerable. There, attackers can even obtain data which the browsers' auto-complete feature only enters into the relevant web page – such as a user's log-in information, as already demonstrated in the article entitled "Password stealing for dummies" from The H Open.

At the Black Hat conference, Grossman will also demonstrate that arbitrary web pages can destroy all the cookies stored in a browser. To achieve this, a large number of cookies are sent to the browser. Once a certain number is reached the oldest cookies will simply be overwritten – regardless of their origin. In Firefox, for instance, after 2.5 seconds and 3,000 new cookies, no original cookies are left .

Update - Grossman has now published proof-of-concept code and a demo video on his blog. In a test run by The H's associates at heise Security, the script reliably disclosed the name, company, city, state, country and email address of the currently logged in user within half a minute. The test was run using version 5.0 of Safari on Windows 7.